PT-2026-43972 · Libusb · Libusb

Marklee131 · Published 2026-05-27 · Updated 2026-05-28 · CVE-2026-47104

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

libusb versions prior to 1.0.30

Description

A one-byte out-of-bounds read exists in the parse_iad_array() function within descriptor.c. This occurs when a malformed USB descriptor is supplied where the bLength equals the size minus one, causing the bounds check to utilize the original buffer size rather than the remaining size. In virtualized environments with USB passthrough, attackers can use the functions libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors to provide crafted descriptors, reading one byte past the end of the malloc allocation and triggering a denial of service.

Recommendations

Update to version 1.0.30 or later.
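
The bounds-check flaw in the Description, modelled as an added example: this is constructed code, not libusb's source and not the 1.0.30 patch. It walks a descriptor buffer with bLength checked either against the original size or against the bytes still unparsed, and reports where the size-based walk would read a header past the buffer instead of performing that read. The names count_iads, ERR_IO and ERR_OVERREAD, the sample buffers, and the choice to reject a trailing one-byte fragment are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_IAD  0x0b  /* USB interface association descriptor type */
#define HDR_LEN 2     /* bLength + bDescriptorType */

enum { ERR_IO = -1, ERR_OVERREAD = -2 };  /* hypothetical return codes */

/* Constructed samples: a 9-byte configuration descriptor followed by an
 * 8-byte IAD, and a 9-byte buffer whose first bLength is size - 1. */
static const uint8_t sample_ok[] = {
    9, 0x02, 17, 0, 1, 1, 0, 0x80, 50,
    8, DT_IAD, 0, 2, 0xff, 0, 0, 0 };
static const uint8_t sample_short[] = { 8, DT_IAD, 0, 2, 0xff, 0, 0, 0, 9 };

/* Count IADs in buf. check_remaining = 0 models a check of bLength against
 * the original size; 1 checks it against the bytes still unparsed. Where the
 * size-based walk would read a header past the buffer, this model returns
 * ERR_OVERREAD instead of performing the read. */
static int count_iads(const uint8_t *buf, size_t size, int check_remaining)
{
    size_t consumed = 0;
    int count = 0;

    while (consumed < size) {
        size_t remaining = size - consumed;
        if (remaining < HDR_LEN)   /* header would straddle the end */
            return check_remaining ? ERR_IO : ERR_OVERREAD;
        uint8_t len = buf[consumed], type = buf[consumed + 1];
        if (len < HDR_LEN || len > (check_remaining ? remaining : size))
            return ERR_IO;
        if (type == DT_IAD)
            count++;
        consumed += len;
    }
    return count;
}

int main(void)
{
    printf("ok:    size-check=%d remaining-check=%d\n",
           count_iads(sample_ok, sizeof sample_ok, 0),
           count_iads(sample_ok, sizeof sample_ok, 1));
    printf("short: size-check=%d remaining-check=%d\n",
           count_iads(sample_short, sizeof sample_short, 0),
           count_iads(sample_short, sizeof sample_short, 1));
    return 0;
}
```
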

Fix

DoS

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-47104

Affected Products

Libusb